| 18 Nov 2025 |
Randy Eckenrode | It supports multiple TLS implementations. The latter is the one that does platform integration on Darwin platforms. | 19:00:52 |
WeetHet | rustls also supports native keychain via https://lib.rs/crates/rustls-native-certs so even without Secure.framework someone might want to use keychain | 19:04:07 |
WeetHet | I'm not sure what sandbox privileges it needs though | 19:04:21 |
WeetHet | com.apple.SecurityServer is seemingly a Secure.framework thing | 19:07:01 |
WeetHet | Okay, it fails on an unrelated thing, because it tries to access the system proxy by default and gets
2025-11-18 21:23:01.093926+0200 localhost kernel[0]: (Sandbox) Sandbox: test-native(79417) deny(1) mach-lookup com.apple.SystemConfiguration.configd
| 19:29:06 |
WeetHet | Why don't you work...
fetched-content> Error: reqwest::Error { kind: Request, url: "https://dummyjson.com/test", source: hyper_util::client::legacy::Error(Connect, Custom { kind: Other, error: Custom { kind: InvalidData, error: InvalidCertificate(UnknownIssuer) } }) }
building of '/nix/store/z3lg2ccma5grszxmkwdwvibdzlpd2gl0-fetched-content.drv^out' from .drv file: build done
killing process 71696
builder process for '/nix/store/z3lg2ccma5grszxmkwdwvibdzlpd2gl0-fetched-content.drv' finished
killing all processes running under uid '351'
lock released on '/nix/store/vjl83xzpf5nxihbp164nm7n1dakl85pj-fetched-content.lock'
building of '/nix/store/z3lg2ccma5grszxmkwdwvibdzlpd2gl0-fetched-content.drv^out' from .drv file: done
building of '/nix/store/z3lg2ccma5grszxmkwdwvibdzlpd2gl0-fetched-content.drv^out' from .drv file: goal destroyed
error: builder for '/nix/store/z3lg2ccma5grszxmkwdwvibdzlpd2gl0-fetched-content.drv' failed with exit code 1;
last 1 log lines:
> Error: reqwest::Error { kind: Request, url: "https://dummyjson.com/test", source: hyper_util::client::legacy::Error(Connect, Custom { kind: Other, error: Custom { kind: InvalidData, error: InvalidCertificate(UnknownIssuer) } }) }
For full logs, run:
nix-store -l /nix/store/z3lg2ccma5grszxmkwdwvibdzlpd2gl0-fetched-content.drv
| 21:06:53 |
Randy Eckenrode | Invalid certificate this time. Is the CA supposed to be in Keychain? | 21:10:24 |
WeetHet | I'm working through the sandbox errors | 21:11:00 |
WeetHet | For now I'm just allowing everything that fails | 21:11:11 |
WeetHet | Then I'm gonna minimise the profile | 21:11:34 |
WeetHet | This is for
[package]
name = "test-native"
version = "0.1.0"
edition = "2024"
[dependencies]
tokio = { version = "1.48.0", features = ["macros", "rt-multi-thread"] }
[dependencies.reqwest]
version = "0.12.24"
default-features = false
features = [
"rustls-tls-native-roots",
"charset",
"http2",
"system-proxy"
]
| 21:12:14 |
WeetHet | Fixing the system-proxy failure was easy but rustls-tls-native-roots does something weird | 21:13:13 |
WeetHet | It's not pretty:
; Allow system proxy
(allow mach-lookup (global-name "com.apple.SystemConfiguration.configd"))
; Allow native TLS
(allow mach-lookup
(global-name "com.apple.SecurityServer"))
(allow file-read-data
(literal "/Library/Keychains/System.keychain")
(literal "/System/Library/Keychains/SystemRootCertificates.keychain")
(literal "/System/Library/Keychains/SystemTrustSettings.plist"))
(allow file-read-metadata
(literal "/Library/Keychains/System.keychain")
(literal "/System/Library/Keychains/SystemRootCertificates.keychain")
(literal "/System/Library/Keychains/SystemTrustSettings.plist"))
| 21:40:48 |
WeetHet | * It's not pretty:
; Allow system proxy
(allow mach-lookup (global-name "com.apple.SystemConfiguration.configd"))
; Allow native TLS
(allow mach-lookup
(global-name "com.apple.SecurityServer"))
(allow file-read-data
(literal "/Library/Keychains/System.keychain")
(literal "/System/Library/Keychains/SystemRootCertificates.keychain")
(literal "/System/Library/Keychains/SystemTrustSettings.plist"))
| 21:42:26 |
WeetHet | Need to test with an actual nix-build still but I think this is all | 21:43:08 |
WeetHet | None of these can be removed | 21:44:50 |
WeetHet | Wait it doesn't work | 21:47:15 |
WeetHet | Wait what | 22:28:27 |
WeetHet | declare -x NIX_SSL_CERT_FILE="/private/tmp/2412pn9wp2vk7abqp0glq967n4/etc/ssl/certs/ca-certificates.crt"
declare -x SSL_CERT_FILE="/no-cert-file.crt"
| 22:28:42 |
WeetHet | Huh | 22:28:45 |
Randy Eckenrode | Is this Lix 2.94? | 22:29:29 |
WeetHet | Yes | 22:30:22 |
WeetHet | But lix doesn't set SSL_CERT_FILE at all | 22:30:34 |
WeetHet | It's nixpkgs/pkgs/stdenv/generic/setup.sh's fault | 22:30:46 |
WeetHet | * It's pkgs/stdenv/generic/setup.sh's fault | 22:30:51 |
WeetHet | if [[ -z "${NIX_SSL_CERT_FILE:-}" && "${IN_NIX_SHELL:-}" != "impure" ]]; then
export NIX_SSL_CERT_FILE=/no-cert-file.crt
fi
# Another variant left for compatibility.
if [[ -z "${SSL_CERT_FILE:-}" && "${IN_NIX_SHELL:-}" != "impure" ]]; then
export SSL_CERT_FILE=/no-cert-file.crt
fi
| 22:30:59 |
Randy Eckenrode | https://docs.lix.systems/manual/lix/stable/release-notes/rl-2.94.html
Global certificate authorities are copied inside the builder's environment gh#12698 fj#885 cl/3765
| 22:31:21 |